Analysis
max time kernel: 119s
max time network: 120s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 05/12/2024, 22:31
Static task: static1
Behavioral task: behavioral1
Sample: 60404ae98c22d6285b7df7a6063ddf2dcae57b62d578e8e89a99f902a24f4080.dll
Resource: win7-20240903-en
General
Target: 60404ae98c22d6285b7df7a6063ddf2dcae57b62d578e8e89a99f902a24f4080.dll
Size: 120KB
MD5: 2271e123892d6e455c4ab9b81417ebed
SHA1: 7d82fad983dc8e92a243b40236733ec10be8336d
SHA256: 60404ae98c22d6285b7df7a6063ddf2dcae57b62d578e8e89a99f902a24f4080
SHA512: caac1e7065e156ac3f1af8a84cba486ba6f1bff62615df4faf4508e058d08c22f525329ba12a993a38a42d7c9c9c07d6548907e4ef7d7bd5d6547831361b7ce4
SSDEEP: 1536:FVZSSBbsetpU25+p2vaMIbCWYUsBXLgHlRDX0dNu3vSguHdsUZKlUS9:FVZSShseta28pnMId2BgH30dyqgPUZY
Malware Config
Extracted family: sality
URLs extracted from the sample's configuration:
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
Modifies firewall policy service 3 TTPs 6 IoCs
Registry key: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
  Set value (int) EnableFirewall = "0"         f76f9f8.exe
  Set value (int) DoNotAllowExceptions = "0"   f76f9f8.exe
  Set value (int) DisableNotifications = "1"   f76f9f8.exe
  Set value (int) EnableFirewall = "0"         f7719c8.exe
  Set value (int) DoNotAllowExceptions = "0"   f7719c8.exe
  Set value (int) DisableNotifications = "1"   f7719c8.exe
Both dropped executables apply the same three writes: the firewall is switched off for the standard profile, exceptions stay permitted, and the firewall's own notifications are silenced. Only StandardProfile is touched; no DomainProfile or PublicProfile writes are listed.
Sality family
UAC bypass 2 IoCs
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"   f76f9f8.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"   f7719c8.exe
EnableLUA = 0 turns User Account Control off; the change takes effect at the next reboot, not immediately.
Windows security bypass 12 IoCs
Registry key: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center
  Set value (int) AntiVirusOverride = "1"       f76f9f8.exe
  Set value (int) AntiVirusDisableNotify = "1"  f76f9f8.exe
  Set value (int) FirewallDisableNotify = "1"   f76f9f8.exe
  Set value (int) UacDisableNotify = "1"        f76f9f8.exe
  Set value (int) FirewallOverride = "1"        f76f9f8.exe
  Set value (int) UpdatesDisableNotify = "1"    f76f9f8.exe
  Set value (int) FirewallDisableNotify = "1"   f7719c8.exe
  Set value (int) AntiVirusOverride = "1"       f7719c8.exe
  Set value (int) AntiVirusDisableNotify = "1"  f7719c8.exe
  Set value (int) FirewallOverride = "1"        f7719c8.exe
  Set value (int) UpdatesDisableNotify = "1"    f7719c8.exe
  Set value (int) UacDisableNotify = "1"        f7719c8.exe
The *Override values stop Security Center from monitoring the antivirus and firewall state; the *DisableNotify values silence its alerts. The writes land under Wow6432Node because both executables run as 32-bit processes on a 64-bit host and WOW64 registry redirection applies; the report does not show whether the native 64-bit Security Center honours that view.
Executes dropped EXE 3 IoCs
  PID 2412  f76f9f8.exe
  PID 2992  f76fb9e.exe
  PID 2188  f7719c8.exe
Loads dropped DLL 6 IoCs
  PID 2656  rundll32.exe  (6 events)
Windows security modification 14 IoCs
Registry key: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center
  Set value (int) AntiVirusDisableNotify = "1"  f76f9f8.exe
  Key created     Svc                           f76f9f8.exe
  Set value (int) UacDisableNotify = "1"        f7719c8.exe
  Set value (int) UpdatesDisableNotify = "1"    f76f9f8.exe
  Set value (int) UacDisableNotify = "1"        f76f9f8.exe
  Set value (int) AntiVirusOverride = "1"       f7719c8.exe
  Key created     Svc                           f7719c8.exe
  Set value (int) AntiVirusOverride = "1"       f76f9f8.exe
  Set value (int) AntiVirusDisableNotify = "1"  f7719c8.exe
  Set value (int) FirewallDisableNotify = "1"   f7719c8.exe
  Set value (int) FirewallDisableNotify = "1"   f76f9f8.exe
  Set value (int) FirewallOverride = "1"        f76f9f8.exe
  Set value (int) FirewallOverride = "1"        f7719c8.exe
  Set value (int) UpdatesDisableNotify = "1"    f7719c8.exe
Checks whether UAC is enabled 2 IoCs
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"   f76f9f8.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"   f7719c8.exe
Enumerates connected drives 3 TTPs 16 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only)  \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R:   f76f9f8.exe  (13 events)
  File opened (read-only)  \??\E: \??\G: \??\H:   f7719c8.exe  (3 events)
Opening every drive letter in turn is the usual prelude to locating removable and mapped drives; the report records only the opens, not any writes to those volumes.
Yara rule match: upx 24 IoCs
resource: behavioral1/memory/<pid>-<n>-<start>-<end>-memory.dmp
  PID 2412  0x0000000000590000-0x000000000164A000  dumps 12, 14, 15, 16, 17, 18, 19, 20, 21, 22, 61, 62, 63, 65, 66, 68, 83, 84, 108, 110, 157  (21 matches)
  PID 2656  0x0000000000450000-0x0000000000462000  dump 81  (1 match)
  PID 2188  0x0000000000910000-0x00000000019CA000  dumps 163, 217  (2 matches)
All 24 matches are against memory dumps taken during execution, not against the DLL on disk. The two dropped executables each map a region of roughly 17 MB that keeps matching the rule for the whole run.
Drops file in Windows directory 3 IoCs
  File created                C:\Windows\f76fa56      f76f9f8.exe
  File opened for modification C:\Windows\SYSTEM.INI  f76f9f8.exe
  File created                C:\Windows\f774ad6      f7719c8.exe
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rundll32.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  f76f9f8.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  f7719c8.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs
  PID 2412  f76f9f8.exe  (2 events)
  PID 2188  f7719c8.exe  (1 event)
Suspicious use of AdjustPrivilegeToken 45 IoCs
  Token: SeDebugPrivilege  PID 2412  f76f9f8.exe  (repeated)
  Token: SeDebugPrivilege  PID 2188  f7719c8.exe  (repeated)
All 45 events enable SeDebugPrivilege in one of the two dropped executables. That privilege is what lets them open system processes such as taskhost.exe and Explorer.EXE with write access, which is consistent with the WriteProcessMemory events below.
Suspicious use of WriteProcessMemory 38 IoCs
Each row is one writer/target pair; the target image is taken from the Processes section, procid_target is the report's own index for the target process.
  writer PID (image)        target PID (image, procid_target)   events
  2112 rundll32.exe   ->    2656 rundll32.exe (30)              7
  2656 rundll32.exe   ->    2412 f76f9f8.exe (31)               4
  2412 f76f9f8.exe    ->    1128 taskhost.exe (19)              2
  2412 f76f9f8.exe    ->    1184 Dwm.exe (20)                   2
  2412 f76f9f8.exe    ->    1260 Explorer.EXE (21)              2
  2412 f76f9f8.exe    ->    1544 DllHost.exe (25)               2
  2412 f76f9f8.exe    ->    2112 rundll32.exe (29)              1
  2412 f76f9f8.exe    ->    2656 rundll32.exe (30)              2
  2656 rundll32.exe   ->    2992 f76fb9e.exe (32)               4
  2656 rundll32.exe   ->    2188 f7719c8.exe (33)               4
  2412 f76f9f8.exe    ->    2992 f76fb9e.exe (32)               2
  2412 f76f9f8.exe    ->    2188 f7719c8.exe (33)               2
  2188 f7719c8.exe    ->    1128 taskhost.exe (19)              1
  2188 f7719c8.exe    ->    1184 Dwm.exe (20)                   1
  2188 f7719c8.exe    ->    1260 Explorer.EXE (21)              1
  2188 f7719c8.exe    ->    1544 DllHost.exe (25)               1
The rundll32.exe rows are a parent writing into a child it has just created. The rows from f76f9f8.exe and f7719c8.exe into taskhost.exe, Dwm.exe, Explorer.EXE and DllHost.exe are writes into processes that were already running before the sample started and that the sample never created, which is the part worth hunting for.
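The table above mixes a parent setting up a child it has just created with writes into processes the sample did not create. The following Python, an added example that is not part of the sandbox report or of the Sality sample, parses records in the report's own layout, joins them to the process list from the Processes section, and separates the two cases. The process list and the log excerpt are copied from this report (the excerpt is a constructed subset of the 38 records); the spawn/intra-tree/foreign classes and the function names are assumptions of this example.

```python
import re
from collections import defaultdict

# Process list copied from the report's Processes section: pid -> (image, parent pid).
# Top-level entries have no parent shown in the report, so their parent is None.
PROCESSES = {
    1128: ("taskhost.exe", None),
    1184: ("Dwm.exe", None),
    1260: ("Explorer.EXE", None),
    1544: ("DllHost.exe", None),
    2112: ("rundll32.exe", None),
    2656: ("rundll32.exe", 2112),
    2412: ("f76f9f8.exe", 2656),
    2992: ("f76fb9e.exe", 2656),
    2188: ("f7719c8.exe", 2656),
}
SAMPLE_ROOT = 2112  # the rundll32.exe that loaded the DLL

# Constructed excerpt of the 'Suspicious use of WriteProcessMemory' records above,
# kept in the sandbox's own layout (several records run together per line).
WPM_LOG = """
PID 2112 wrote to memory of 2656 2112 rundll32.exe 30 PID 2112 wrote to memory of 2656 2112 rundll32.exe 30
PID 2656 wrote to memory of 2412 2656 rundll32.exe 31 PID 2656 wrote to memory of 2992 2656 rundll32.exe 32
PID 2656 wrote to memory of 2188 2656 rundll32.exe 33
PID 2412 wrote to memory of 1128 2412 f76f9f8.exe 19 PID 2412 wrote to memory of 1184 2412 f76f9f8.exe 20
PID 2412 wrote to memory of 1260 2412 f76f9f8.exe 21 PID 2412 wrote to memory of 1544 2412 f76f9f8.exe 25
PID 2412 wrote to memory of 2656 2412 f76f9f8.exe 30 PID 2412 wrote to memory of 2188 2412 f76f9f8.exe 33
PID 2188 wrote to memory of 1128 2188 f7719c8.exe 19 PID 2188 wrote to memory of 1544 2188 f7719c8.exe 25
"""

# "PID <writer> wrote to memory of <target> <writer> <writer image> <procid_target>"
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\d+)")


def parse_wpm(text):
    """Return (writer_pid, target_pid, writer_image) for every record in the text."""
    return [(int(w), int(t), img) for w, t, img, _ in WPM_RE.findall(text)]


def root_of(pid):
    """Walk the parent chain up to the top-level process."""
    while PROCESSES[pid][1] is not None:
        pid = PROCESSES[pid][1]
    return pid


def classify_write(writer, target):
    """spawn: a parent writing into a child it just created (seen for every
    CreateProcess); intra-tree: the writer reaches a sibling or ancestor it
    did not create; foreign: the target was running before the sample began."""
    if PROCESSES[target][1] == writer:
        return "spawn"
    if root_of(target) == SAMPLE_ROOT:
        return "intra-tree"
    return "foreign"


def injection_map(records):
    """writer pid -> {target pid: (image, class, event count)} for non-spawn writes."""
    counts = defaultdict(lambda: defaultdict(int))
    for writer, target, _ in records:
        counts[writer][target] += 1
    out = {}
    for writer, targets in counts.items():
        hits = {}
        for target, n in targets.items():
            cls = classify_write(writer, target)
            if cls != "spawn":
                hits[target] = (PROCESSES[target][0], cls, n)
        if hits:
            out[writer] = hits
    return out


def foreign_targets(records):
    """Images of pre-existing processes the sample wrote into: the hunt-worthy IoC."""
    return sorted({image for hits in injection_map(records).values()
                   for image, cls, _ in hits.values() if cls == "foreign"})


if __name__ == "__main__":
    recs = parse_wpm(WPM_LOG)
    for writer, hits in sorted(injection_map(recs).items()):
        for target, (image, cls, n) in sorted(hits.items()):
            print(f"{writer} {PROCESSES[writer][0]} -> {target} {image}: {cls} x{n}")
    print("foreign targets:", foreign_targets(recs))
```

On the excerpt the rundll32.exe writers disappear entirely (all of their writes are spawns), while f76f9f8.exe and f7719c8.exe are left with taskhost.exe, Dwm.exe, Explorer.EXE and DllHost.exe as foreign targets. On a real host the same split needs the process start times rather than a static parent table, since a target that started after the writer but is not its child is still foreign.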
System policy modification 1 TTPs 2 IoCs
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"   f7719c8.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"   f76f9f8.exe
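The registry tables above repeat the same handful of values across several signatures. The following Python, an added example and not code from the sandbox or from the sample, parses records in the report's own 'Set value (int) <key> = "<value>" <process>' layout, strips the WOW64 view so the native and redirected paths compare equal, and tags each write with the ATT&CK technique the MITRE section names. The records are copied from the tables above (constructed subset); the rule table, the technique IDs and the effect strings are this example's mapping, not something the report prints.

```python
import re
from collections import Counter, defaultdict

# Constructed input: registry IoC records copied from the Signatures tables
# above. The sandbox runs several records together on one line; one such run
# is kept on purpose so that split_records() is exercised.
REPORT_IOCS = r"""
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" f76f9f8.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" f76f9f8.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" f76f9f8.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" f76f9f8.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" f76f9f8.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" f7719c8.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc f76f9f8.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" f7719c8.exe
"""

# value name (lower-case) -> (parent key suffix, value the sample writes,
# ATT&CK technique, effect). Assumed mapping of the report's MITRE section
# onto ATT&CK IDs; the report itself prints only technique names.
RULES = {
    "enablefirewall":         (r"firewallpolicy\standardprofile", "0", "T1562.004", "Windows Firewall off (standard profile)"),
    "donotallowexceptions":   (r"firewallpolicy\standardprofile", "0", "T1562.004", "firewall exceptions permitted"),
    "disablenotifications":   (r"firewallpolicy\standardprofile", "1", "T1562.004", "firewall notifications suppressed"),
    "enablelua":              (r"policies\system", "0", "T1548.002", "UAC disabled at next reboot"),
    "antivirusoverride":      (r"security center", "1", "T1562.001", "Security Center AV monitoring overridden"),
    "firewalloverride":       (r"security center", "1", "T1562.001", "Security Center firewall monitoring overridden"),
    "antivirusdisablenotify": (r"security center", "1", "T1562.001", "antivirus alerts suppressed"),
    "firewalldisablenotify":  (r"security center", "1", "T1562.001", "firewall alerts suppressed"),
    "uacdisablenotify":       (r"security center", "1", "T1562.001", "UAC alerts suppressed"),
    "updatesdisablenotify":   (r"security center", "1", "T1562.001", "Windows Update alerts suppressed"),
}

RECORD_RE = re.compile(r'^(Set value \(\w+\)|Key created) (.+?)(?: = "([^"]*)")? (\S+)$')
PREFIX = "\\REGISTRY\\MACHINE\\"
WOW64_NODE = "\\Wow6432Node"


def split_records(text):
    """Split the sandbox's run-together IoC text into single records."""
    return [r for r in re.split(r"\s+(?=(?:Set value|Key created)\b)", text.strip()) if r]


def parse_record(rec):
    """Parse one record into op, HKLM-style path, value, process and a WOW64 flag."""
    m = RECORD_RE.match(rec)
    if not m:
        return None
    op, path, value, proc = m.groups()
    wow64 = WOW64_NODE.lower() in path.lower()
    if wow64:  # fold the redirected view onto the native path for comparison
        path = re.sub(re.escape(WOW64_NODE), "", path, count=1, flags=re.IGNORECASE)
    if path.upper().startswith(PREFIX.upper()):
        path = "HKLM\\" + path[len(PREFIX):]
    return {"op": "create" if op.startswith("Key") else "set",
            "path": path, "value": value, "process": proc, "wow64": wow64}


def classify(records):
    """Attach an ATT&CK technique to every record that matches a rule."""
    findings = []
    for r in records:
        parent, _, name = r["path"].rpartition("\\")
        parent_l = parent.lower()
        if r["op"] == "create" and parent_l.endswith("security center"):
            findings.append({**r, "technique": "T1112", "effect": "key created under Security Center"})
            continue
        rule = RULES.get(name.lower())
        if rule and parent_l.endswith(rule[0]) and r["value"] == rule[1]:
            findings.append({**r, "technique": rule[2], "effect": rule[3]})
    return findings


def per_process(findings):
    """process -> Counter of techniques, the shape a triage note summarises."""
    out = defaultdict(Counter)
    for f in findings:
        out[f["process"]][f["technique"]] += 1
    return dict(out)


def wow64_redirected(findings):
    """Value names whose writes landed only in the Wow6432Node view."""
    return sorted({f["path"].rpartition("\\")[2] for f in findings if f["wow64"]})


if __name__ == "__main__":
    recs = [r for r in map(parse_record, split_records(REPORT_IOCS)) if r]
    found = classify(recs)
    for proc, techniques in sorted(per_process(found).items()):
        print(proc, dict(techniques))
    print("written only via the WOW64 view:", wow64_redirected(found))
```

The WOW64 flag is the detail to keep: the firewall and EnableLUA writes hit the native keys, while every Security Center write in this report sits under Wow6432Node, so a host check that reads only the 64-bit view of Security Center would miss them.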
Processes
The bracketed number is the report's own nesting depth; the signatures under a process are the ones the report attributes to it.

[1] C:\Windows\system32\taskhost.exe  cmd: "taskhost.exe"  PID:1128
[1] C:\Windows\system32\Dwm.exe  cmd: "C:\Windows\system32\Dwm.exe"  PID:1184
[1] C:\Windows\Explorer.EXE  cmd: C:\Windows\Explorer.EXE  PID:1260
[2] C:\Windows\system32\rundll32.exe  cmd: rundll32.exe C:\Users\Admin\AppData\Local\Temp\60404ae98c22d6285b7df7a6063ddf2dcae57b62d578e8e89a99f902a24f4080.dll,#1  PID:2112
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\rundll32.exe  cmd: rundll32.exe C:\Users\Admin\AppData\Local\Temp\60404ae98c22d6285b7df7a6063ddf2dcae57b62d578e8e89a99f902a24f4080.dll,#1  PID:2656
          - Loads dropped DLL
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
        [4] C:\Users\Admin\AppData\Local\Temp\f76f9f8.exe  cmd: C:\Users\Admin\AppData\Local\Temp\f76f9f8.exe  PID:2412
              - Modifies firewall policy service
              - UAC bypass
              - Windows security bypass
              - Executes dropped EXE
              - Windows security modification
              - Checks whether UAC is enabled
              - Enumerates connected drives
              - Drops file in Windows directory
              - System Location Discovery: System Language Discovery
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
              - System policy modification
        [4] C:\Users\Admin\AppData\Local\Temp\f76fb9e.exe  cmd: C:\Users\Admin\AppData\Local\Temp\f76fb9e.exe  PID:2992
              - Executes dropped EXE
        [4] C:\Users\Admin\AppData\Local\Temp\f7719c8.exe  cmd: C:\Users\Admin\AppData\Local\Temp\f7719c8.exe  PID:2188
              - Modifies firewall policy service
              - UAC bypass
              - Windows security bypass
              - Executes dropped EXE
              - Windows security modification
              - Checks whether UAC is enabled
              - Enumerates connected drives
              - Drops file in Windows directory
              - System Location Discovery: System Language Discovery
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
              - System policy modification
[1] C:\Windows\system32\DllHost.exe  cmd: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}  PID:1544

The 64-bit rundll32.exe (PID 2112) cannot load a 32-bit DLL in its own process and re-launches the SysWOW64 rundll32.exe (PID 2656) for it; PID 2656 is the process that runs export #1 and drops the three executables into %TEMP%. taskhost.exe, Dwm.exe, Explorer.EXE and DllHost.exe are not descendants of the sample; the only events the report ties to them are the WriteProcessMemory writes from f76f9f8.exe and f7719c8.exe. f76fb9e.exe (PID 2992) triggers no signature other than being a dropped executable.
Network
MITRE ATT&CK Enterprise v15
Counts are the number of signatures the report maps to each entry; technique IDs are the standard ATT&CK identifiers for the names the report prints.
Privilege Escalation
  Abuse Elevation Control Mechanism (T1548): 1
    Bypass User Account Control (T1548.002): 1
  Create or Modify System Process (T1543): 1
    Windows Service (T1543.003): 1
Defense Evasion
  Abuse Elevation Control Mechanism (T1548): 1
    Bypass User Account Control (T1548.002): 1
  Impair Defenses (T1562): 4
    Disable or Modify System Firewall (T1562.004): 1
    Disable or Modify Tools (T1562.001): 3
  Modify Registry (T1112): 5
Downloads
The report lists two artefacts by hash only; it does not give their names or paths.

Filesize: 257B
MD5: da954a596ded9cec5dba9f0617f0d3ab
SHA1: dfc94f68de06c421ec5b64a37239aba3d542836f
SHA256: 82bad8c0ec427c1e75d52713827cf8ecac91716547b1fb92bc29e0cf6238a2e7
SHA512: 4fb6569cc3767554b18b76ab0193007f7b9df2d40cfa00d3de96676f762acb4eb26b15c7da4962303a46778626337e597958726d5e39bf7d80a33c3ad6ea85a5

Filesize: 97KB
MD5: 9e960381edd8027d047ecca27e8d13c3
SHA1: c3299ecb1cff0845178aeaaccda01b982ffa5e9f
SHA256: 69b423ec2d000db40dd407a6663f01a34d463695b34cbd7c77442aa97ef39615
SHA512: 9e7a2e6f6025b6e887a48e34474b6d37d702496011b7342f8fbb5080bfc862184370ecefee25aabd269c19a4505980d11857e01a598d79c7b2b4d4a4b1fbefb8